Bitdefender GandCrab decryptor for Syrian users now available

We’re happy to announce the release of a new decryptor for victims of GandCrab ransomware. The tool can only be used by a limited pool of victims located in Syria, and works for GandCrab ransomware versions 1 through 5.

The release of these keys is not an act of redemption of the notorious cybercrime ring that allegedly makes hundreds of thousands of dollars a month from defrauding victims. It is instead the group’s response to the desperate Tweet of a Syrian father who lost his sons to the war and all the memories of his sons to ransomware.

Our decryption utility – the second one we have released so far to help users get GandCrab encrypted files back – can be downloaded from its product page on Bitdefender Labs. However, there are some things that you should know before you download it:

This tool is built around the decryption keys released by the GandCrab operators themselves. These keys are associated with Syrian victims, according to their release.

While this decryption tool allows Syrian victims to get their information back, there is no guarantee that all victims will be able to successfully decrypt their data. In some circumstances, residents of a country might be inadvertently identified as located somewhere else based on the exit node’s IP address.

This tool DOES NOT WORK for GandCrab victims located outside Syria. Of course, there is no harm in running the tool and attempting to decrypt, but we will not be able to provide technical support in case you are located outside Syria and decryption fails.

If your computer has fallen victim to GandCrab and you live somewhere other than Syria, do not despair, and most importantly, do not pay up. Instead, take a backup of the ransomed files, along with the ransom note, and store them somewhere safe, because help is coming really soon.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

Are you located in Syria? If you are, send the ransom note to forensics@bitdefender.com and we'll investigate further. Please note that, as per the blog post, this tool does not work for victims outside Syria.

It says right there in the title. You can't, it only includes the decryption keys for Syrian users, as they were released publicly by GandCrab. Hang on, we're working on a tool to address other regions.

Hi and Thanks to the efforts that are being made to deal with the ransomwares.

First of all, I apologize for my weak English,

My name is Mohammad and I'm from Iran. I'm an IT employee at Karafarin Bank Company. On 22 Aug 2018, 4 devices from my servers were attacked by Gandcrab v4.0 and this created major problems at my workplace.

After encountering this problem, I began to negotiate with the ransom support team through the link in the Ransom-Note txt file via TOR Browser and through them I managed to get the Decrypter file and private.key file from one of the servers. The problem was that these 4 servers were linked through shared folders, and they were infected. I ran the Decrypter and private.key file that I received on each of the four servers, but this key only decrypted one of the servers and deleted all the Ransom-Note txt files from all servers (this feature was located in the Decrypter file). That's why I do not have any Ransom-Note txt files for my other 3 servers. Now my main problem is the Ransom-Note txt files of the other 3 servers for decrypting files. If you think that the Decryptor and the private.key that have been sent to me will help resolve the issue, please ask me to send them to you.

You can send us the decryption tool on one of your servers. Just like the message file on the remaining servers via gmail maytinhcn. The tools that you decode for a good host can be fortunate to support other victims in our country. Thanks.

Sure there is. Download the tool again – it has been updated in between. Run it and, if anything fails, write us at forensics@bitdefender.com. Please attach the logs in %temp%\BDRemovalTool\BDRansomDecryptor. Thanks!

I tried this link but the download did not complete because of a network error. Please help me.
https://labs.bitdefender.com/2018/10/bitdefender-law-enforcement-solve-for-multiple-versions-of-gandcrab-with-new-decryptor/

Open any folder on your computer. Write that file path as it is – %temp%\BDRemovalTool\BDRansomDecryptor – in the address bar above. You will be redirected to the actual folder. Get the contents, attach them to an e-mail and send it our way.

I tried using the decryptor for version 5.0.4 but the program fails to even start the scan, with an "Initialization failed" error. I have sent in some files with the text file along with logs from the folder to the team. Hoping that this issue will be addressed. Maybe there is a command line tool? Or can anyone who was able to successfully run the program provide some help and decrypt the files of other people somehow?
I want to know if the files can be decrypted somehow; otherwise I want to do a clean installation of Windows and forget about them forever.